Physical Security Outlook: Beware Bank Robbers and ATM Thieves

Bank robberies are up, ATMs are at risk, and greeters can be one of an institution's best defenses.

These are among the physical security insights shared by Larry Brown, chair of ASIS International's Banking and Finance Services Council.

Brown is Senior Vice President and Director of Risk Management for First Citizens BancShares, [NASDAQ: FCNCA] a century-old bank holding company with more than $16 billion in assets, more than 5,000 employees and 400 + banking centers in 15 states. Brown's areas of responsibility include physical security, internal controls, loss prevention, investigations, and business continuity. He joined First Citizens in 1983 after eight years in law enforcement.

ASIS International is one of the best-known physical security associations in the world, and has more than 35,000 members worldwide. Coming back from a recent ASIS leadership meeting in Washington, D.C., Brown shared some of his insights on the state of physical security in financial institutions and the U.S. financial services industry.

Q: Is the financial services industry here in the United States better prepared than other industries in terms of physical security risks?

Brown: I think so. Part of that is due to the conservative nature of our industry and the regulatory oversight and compliance requirements placed on our industry. Along with that is the increased focus on physical security and security as a whole due to recent events, including 9/11. That event has made most industries, including the banking industry, more cognizant of the need to be prepared and has made us more resilient. We're examining contract relationships and vendor relationships, so we're not just interested what happens if a disaster occurs to our building or our institution, but also what happens if a disaster occurs to one of our suppliers or vendors. It has caused all of us to take a step back and look deeper at what the supply chain would look like in a crisis and realize we are more dependent upon one another. One example I point to is the relationships between the critical infrastructures and how they are linked together as pandemic planning has continued in the U.S. over the last couple of years.

Q: Who is a good representative of physical security among mid-sized institutions in the U.S.?

Brown: I would say the physical security that my institution has I would put up against any of the top 100 banks. We're frequently complemented by law enforcement and the media on the quality of our digital video. I think that in many respects physical security has improved over the last years. Local, state and federal law enforcement has become strained from the standpoint of resources since 9/11, so it has required financial institutions and other industries to provide more of their own security and to investigate security events to the degree they are capable of. This is a different approach than before when they did refer it to law enforcement. It is more packaged than it had been in years past, with more evidence and forensics collected for law enforcement.

Q: How do you view the issue of physical and logical convergence, and have you looked at it at your institution?

Brown: At First Citizens, we have a layered security approach, as you'd find in most financial institutions of our size. There is some convergence going on in the financial services industry. I just recently surveyed 10 other institutions to see where they were on this issue, and where other groups were reporting in those institutions, whether it be business continuity, or physical security, or information security. These institutions were the size of First Citizens or larger, and there wasn't very little organizational convergence of the physical and information security departments, contrary to what we're all reading about.
Banks' physical and information security departments have always relied on one another for years, and as long as you have a strategic partnership between the two you're going to know when there are problems and when you're going to need to partner on things. It depends on the institution, but I think it can work either way. On the technology side, we do utilize the bank's data networks to run some of our physical security operations. I don't want to disclose too much of our set up, but I will say this is one area where we partner and use technology resources, and it is a two-way street. Sometimes the information security department will need video surveillance from us for an investigation they're performing, and there are times we need their expertise.

Q: In terms of physical risk assessments, what would you advise your peers, based on your experience?

Brown: I think the frequency depends on the history of crime the institution has experienced, and the history of crime in their geographic area. What are their industry peers doing? From a liability standpoint, that is one of the things you'll be measured against. Based on we're in such a litigious society today, you want to provide the right level of security -- not just because it's the right thing to do, but also because of possible litigation.
We use a few industry services to get a crime index score, some come from law enforcement, to get a picture of where our institution is in terms of risk of crime. This isn't everything you should consider, because we're seeing an increase in organized criminals, and more violent criminals who are more transient than in years past. So while they may burglarizing ATMs in Phoenix this week, next week they may be in Atlanta, and then in Baltimore the week after. Added to this is the fact that the criminals learn from each other. These 'cluster' crimes hit multiple institutions in an area and then quickly move onto another state or region of the country. There are also the copycat criminals who will attempt similar crimes they see happening in other parts of the country.

Q: What do you recommend to reduce bank robbery risks?

Brown: Institutions should look at hardening measures, and then also take a very hard look at what are the things that make your particular property more attractive to a criminal? Sometimes what makes your institution more attractive to a criminal are the same things that make it attractive to an honest customer. Institutions want to be convenient to their customers and be in a well-traveled location with easy access in and out of the parking lot and your building - these are the same features a criminal will seek out when targeting an institution. You need to figure out how to best protect the building, so you're able to be inviting to the 99.99% of your customer base that is honest, but you make that criminal a little uncomfortable. Not wishing bad luck on your competitors, but you don't want to be the weakest bank in the area, thus becoming the target of choice of criminals.

Q: What are other physical crimes institutions should be aware of and prepare their institutions for?

Brown: Some of the less sophisticated and less organized crimes are the ones where an ATM is hit with a large vehicle and the criminals load the ATM vault onto a truck. This kind of crime is usually done by a local criminal who has seen something similar on the news and sees it as an easy crime to perpetrate. It has happened with ATMs not located in banks, such as ones located in convenience stores where they wrap a chain around the ATM and drag it out of the store.
It is a more violent society we live in. Bank robberies were up in 2007. Atlanta, GA was the bank robbery capital of the world, something which they never have been. Dallas and Los Angeles come in second and third with the highest number of bank robberies.

Q: Do you use greeters at your institution?

Brown: We do use greeters (customer service representatives) at some of our branches. They certainly can be a criminal deterrent, but they also serve a customer service purpose as well. In making that customer feel welcome, and greeting them with a friendly smile and question of how they can be helped will make a criminal realize they can't just come into the institution without some direct contact with an employee. Criminals want to get in and out as quickly as possible, and blend into the environment without being seen.

About the Author

Linda McGlasson is a seasoned writer and editor with 20 years of experience in writing for corporations, business publications and newspapers. She has worked in the Financial Services industry for more than 12 years. Most recently Linda headed information security awareness and training and the Computer Incident Response Team for Securities Industry Automation Corporation (SIAC), a subsidiary of the NYSE Group (NYX). As part of her role she developed infosec policy, developed new awareness testing and led the company's incident response team. In the last two years she's been involved with the Financial Services Information Sharing Analysis Center (FS-ISAC), editing its quarterly member newsletter and identifying speakers for member meetings.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;

Enter your email address to reset your password

Already have anISMG account?

Forgot Your Password Message:

Contact Us

Already have anISMG account?

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.in, you agree to our use of cookies.